RE: [Full-Disclosure] Swen Really Sucks
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Swen Really Sucks
- From: "Nick FitzGerald" <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 26 Sep 2003 14:59:41 +1200
"Schmehl, Paul L" <pauls@xxxxxxxxxxxx> replied to me:
> > Swen has code to locate the "Default Mail Account" under the Internet
> > Account Manager registry key then to extract the "SMTP Email Address"
> > value appropriately. This is then stored in a variable in the virus
> > that is later used for the argument to the "MAIL FROM:" SMTP command
> > while sending Email. (It is possible that some other part of the Swen
> > code I have not closely analysed surreptitiously changes the contents
> > of this variable in some circumstances, but there is no obvious code
> > that also alters the contents of the buffer used to hold the string
> > pulled from the registry location just described...)
> >
> > This is all based on disassembly and is corroborated by reports from
> > other researchers who have watched it under debuggers, emulation, etc.
>
> If it's as poorly written as most malware is, it most likely screws this
> up as well. ...
8-)
You should be careful -- I get hate mail for saying stuff like that...
> ... All I can tell you is that I get tens of bounces on my
> personal home email account daily, and I can assure you that I am not
> infected. I'll take a look tonight (because I'm sure there will be at
> least 50 or 60 virus mails and bounces in my deleted items folder) and
> see what's in the headers.
Ahhhhh -- I didn't understand what you were saying before.
I am getting such bogus "bounces" too (about one for every ten
"natural" samples I receive), but recall that many stupid Email gateway
scanners will send "bounces" to addresses in the From: and/or Sender:
headers (and even to addresses in Reply-To:, X-Originally-From: and
other weird custom headers -- clearly these products are written by
chimpanzees that cannot read RFCs...).
> You can disassemble and run simulations til you're blue in the face, but
> things don't work perfectly in the real world, as I *know* you know.
Indeed I can, but when I do -- like Joe -- I tend to take quite some
professional pride in the work (unlike the folk who wrote the SMTP
processors that are busy sending you those "bounces").
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
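Added illustration for this archived thread (not part of Nick's mail, Paul's reply, or Swen itself) of the two mechanisms the exchange turns on: resolving the default account's "SMTP Email Address" from the Internet Account Manager registry key, which is the value a Swen-style sender would place in MAIL FROM:, and the difference between a gateway that sends its notification to the envelope sender (what RFC 2821, the SMTP spec of the time, requires) and one that scrapes From:, Sender:, Reply-To: or X-Originally-From: headers. The registry key and value names are the real Outlook Express ones; the account id, the addresses, the .reg export and the message are all constructed. The example also assumes, as the thread implies, that the header addresses on such a mail differ from its envelope sender; the specific header values used are made up.

```python
"""
Constructed walk-through of (1) the "Default Mail Account" -> "SMTP Email Address"
registry lookup and (2) where a gateway scanner's "bounce" ends up depending on
whether it uses the envelope sender or message headers.  Nothing here is Swen's
code; all data is made up for the illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed regedit-style export.  Key and value names match the real
# Outlook Express account store; the account id and address are invented.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager]
"Default Mail Account"="00000001"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001]
"Account Name"="Home"
"SMTP Email Address"="victim@example.invalid"
"SMTP Server"="smtp.example.invalid"
'''

IAM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager"

# Constructed message as a gateway would see it.  The envelope sender (MAIL FROM)
# is NOT in the headers; these header addresses belong to uninvolved parties.
RAW_MESSAGE = """\
From: "Service" <bystander@example.invalid>
Sender: relay-owner@example.invalid
Reply-To: bystander@example.invalid
To: target@example.invalid
Subject: constructed sample

body
"""

HEADER_ADDRESSES = ("From", "Sender", "Reply-To", "X-Originally-From")


def parse_reg(text):
    """Parse a minimal .reg export: [key] headers and "name"="string" values only."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                tree[key][m.group(1)] = m.group(2)
    return tree


def default_smtp_address(tree):
    """The lookup described in the thread: Default Mail Account -> that
    account's SMTP Email Address.  Returns None if either piece is missing."""
    account = tree.get(IAM_KEY, {}).get("Default Mail Account")
    if account is None:
        return None
    account_key = IAM_KEY + "\\Accounts\\" + account
    return tree.get(account_key, {}).get("SMTP Email Address")


def bounce_recipients(envelope_sender, raw_message, rfc_compliant=True):
    """Who receives the gateway's notification.

    RFC 2821 (now RFC 5321) sends non-delivery notifications to the reverse-path
    given in MAIL FROM, never to header addresses.  The non-compliant branch
    models the header-scraping behaviour complained about in the thread.
    """
    if rfc_compliant:
        return [envelope_sender]
    msg = message_from_string(raw_message)
    found = []
    for name in HEADER_ADDRESSES:
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr and addr not in found:
                found.append(addr)
    return found


def demo():
    """Tie the two halves together: harvested address becomes MAIL FROM,
    then compare where a compliant and a sloppy gateway would 'bounce'."""
    envelope_sender = default_smtp_address(parse_reg(REG_EXPORT))
    compliant = bounce_recipients(envelope_sender, RAW_MESSAGE)
    sloppy = bounce_recipients(envelope_sender, RAW_MESSAGE, rfc_compliant=False)
    return envelope_sender, compliant, sloppy


if __name__ == "__main__":
    env, good, bad = demo()
    print("MAIL FROM (harvested from registry):", env)
    print("RFC-compliant notification goes to: ", good)
    print("header-scraping 'bounce' goes to:   ", bad)
```

In the compliant case the notification reaches the infected user's own mailbox, which is the only place it can do any good; in the header-scraping case it lands on whoever happens to be named in From:, Sender: or Reply-To:, which is exactly how an uninfected bystander ends up with dozens of "bounces" a day.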